Analysis
- max time kernel: 156s
- max time network: 171s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-02-2022 03:52
The behavioural results on this page are from the Windows 7 x64 run (resource win7-en-20211208); the second behavioural task on Windows 10 is listed but its results are not shown here.
Static task: static1
Behavioral task: behavioral1
- Sample: 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe
- Resource: win10v2004-en-20220112
General
- Target: 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe
- Size: 80KB
- MD5: 7ea1ebb599c76c0013e90bb7a9bed017
- SHA1: 78ef8698d9e515e1ed0676aafd89e4afb6efa782
- SHA256: 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335
- SHA512: 970e8462e231f826fd25abb030e0c03d71da270b5b0a93baff1127382fbc580ee3a119c70b4265e0944167196ebc710b2f86cad4ee1b4a55aa58e24094c37b8f
Malware Config
Signatures
- Sakula Payload (3 IoCs)
Processes (resource, YARA rule):
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
- \Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe, family_sakula
All three hits are the same dropped file, MediaCenter.exe, recorded under two path spellings.
- Executes dropped EXE (1 IoC)
Processes:
- PID 1764, MediaCenter.exe
- Deletes itself (1 IoC)
Processes:
- PID 856, cmd.exe
- Loads dropped DLL (2 IoCs)
Processes:
- PID 1656, 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe
- PID 1656, 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe
Two load events are attributed to the sample process; the only dropped file named anywhere in this report is MediaCenter.exe, and the loaded module itself is not broken out here.
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, IoC, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe", written by PID 1656 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe
The Wow6432Node path shows a 32-bit process writing the Run key through registry redirection on 64-bit Windows, and a write under HKLM means the sample ran with administrative rights in the sandbox. The persisted binary lives in the user's %TEMP%, a user-writable location that legitimate machine-wide autostarts rarely point to; that combination (HKLM Run value pointing into AppData\Local\Temp) is the detection-worthy IoC here.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the generic text attached to this signature, not a finding about this sample: no IoC is listed for it, nothing else in the run indicates encryption, and Sakula is a remote-access trojan family. Treat it as informational.
- Runs ping.exe (1 TTP, 1 IoC)
Processes:
- PID 2032, PING.EXE (ping 127.0.0.1, spawned by cmd.exe PID 856 as the delay before the self-delete)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, PID, process):
- Token: SeIncBasePriorityPrivilege, PID 1656, 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe
The only privilege enabled is SeIncBasePriorityPrivilege (raise scheduling priority); no SeDebugPrivilege is requested, so this does not indicate preparation for cross-process injection.
- Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source PID, source process, target PID, target process; each pair is recorded four times):
- 1656 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe wrote to 1764 MediaCenter.exe (4 writes)
- 1656 16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe wrote to 856 cmd.exe (4 writes)
- 856 cmd.exe wrote to 2032 PING.EXE (4 writes)
Every target is a child the writer had just created, so these are the writes that accompany process creation rather than injection into an already-running process; the signature is noise in this run.
Processes (tree; nesting shown by indentation)
C:\Users\Admin\AppData\Local\Temp\16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe (PID 1656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1764)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  C:\Windows\SysWOW64\cmd.exe (PID 856)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE (PID 2032)
      Command line: ping 127.0.0.1
      - Runs ping.exe
The command line names System32\cmd.exe but the image that actually ran is SysWOW64\cmd.exe: the sample is a 32-bit process on 64-bit Windows, so file-system redirection applies, just as registry redirection produced the Wow6432Node Run key. The loopback ping is a delay that lets the parent exit before del /q removes its file, so the original dropper is gone once the run completes and MediaCenter.exe, started from the Run key, is the persisted copy.
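The two host-side behaviours in this run that are worth a detection rule are the Run value written under Wow6432Node pointing into %TEMP% and the cmd.exe self-delete chain (ping 127.0.0.1 as a delay, then del /q on the parent's own image). The Python below is an added example, not part of the sandbox report or of any sandbox tooling: it replays constructed events in a simplified Sysmon-like shape (EventID 1 for process creation, EventID 13 for a registry value set; the field names and event layout are assumptions, not a real Sysmon schema) that mirror the process tree and registry IoC above, adds one hypothetical benign Run value as a control, and flags both patterns. The self-delete check ties the deleted path back to the parent process image, so a cmd.exe that merely cleans up some other temporary file is not flagged.

```python
"""Added example (not from the sandbox report): detect Run-key persistence
into a user-writable directory and "ping-then-del" self-deletion over
constructed, simplified Sysmon-like events. EventID 1 = process creation,
EventID 13 = registry value set; field names are assumptions."""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\16a13805ad37939d6f070dff5f4bd4b732a8c0371ccd0a137978ed31948b0335.exe")
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe"

# Constructed events mirroring the report's process tree and registry IoC,
# plus one benign Run value (hypothetical vendor updater) as a control.
EVENTS = [
    {"EventID": 1, "ProcessId": 1656, "ParentProcessId": 0,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 13, "ProcessId": 1656,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia",
     "Details": PAYLOAD},
    {"EventID": 1, "ProcessId": 1764, "ParentProcessId": 1656,
     "Image": PAYLOAD, "CommandLine": PAYLOAD},
    {"EventID": 1, "ProcessId": 856, "ParentProcessId": 1656,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 & del /q "{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 2032, "ParentProcessId": 856,
     "Image": r"C:\Windows\SysWOW64\PING.EXE", "CommandLine": "ping 127.0.0.1"},
    {"EventID": 13, "ProcessId": 4000,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

# Run / RunOnce keys under any hive, including the Wow6432Node redirected view.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories a standard user can write to; autostarts rarely belong there.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|Windows\\Temp|ProgramData|Users\\Public)\\", re.I)
# Loopback ping used as a sleep, then del/erase of a full path in the same line.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)"
    r".*?&\s*(?:del|erase)\b[^\"]*\"?([A-Za-z]:\\[^\"]+)",
    re.I | re.S)


def run_key_to_user_writable(events):
    """Run/RunOnce values whose target lives in a user-writable directory.
    Returns a list of (writer PID, value name, target path)."""
    hits = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        key, value_name = e["TargetObject"].rsplit("\\", 1)
        if RUN_KEY_RE.search(key + "\\") and USER_WRITABLE_RE.search(e["Details"]):
            hits.append((e["ProcessId"], value_name, e["Details"]))
    return hits


def self_delete_via_ping(events):
    """cmd.exe that sleeps on a loopback ping and then deletes the image of
    the process that spawned it. Returns (cmd PID, parent PID, deleted path)."""
    procs = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    hits = []
    for e in procs.values():
        if ntpath.basename(e["Image"]).lower() != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e["CommandLine"])
        parent = procs.get(e["ParentProcessId"])
        # Only flag when the deleted file is the parent's own executable.
        if m and parent and ntpath.normcase(m.group(1)) == ntpath.normcase(parent["Image"]):
            hits.append((e["ProcessId"], parent["ProcessId"], m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in run_key_to_user_writable(EVENTS):
        print("Run-key persistence into user-writable path:", hit)
    for hit in self_delete_via_ping(EVENTS):
        print("Self-delete via ping delay:", hit)
```

Run as-is it reports the MicroMedia Run value written by PID 1656 and the self-delete by cmd.exe PID 856 of the PID 1656 image, and stays silent on the control entry. To use it on real telemetry, map your Sysmon or EDR field names onto the keys used in EVENTS; the two regexes carry the logic.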
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped file (listed three times in the report with identical hashes; these differ from the submitted sample's hashes):
- MD5: 7df53cdf0dd4032f9cc58b8a7454ff28
- SHA1: a4439122cde0bbaf32b59b4a875ea6c9deda1757
- SHA256: dc12a3d7c4044ff13f67eaffb92f0edaf3d4a657023e7d9f34569cf123a33497
- SHA512: d54d7f11c3d7da3174c2b31dc8159798040bd55ba242af1a46bc7a95fcd86f1fd1c8851234af99740a07efe272d375784bd2dd3a402df9c18d47877b51d56d3a